Password validation
This guide explains how you can manage user passwords securely using multiple validation techniques, such as enforcing password expiration and imposing password complexity requirements.
Configure password validation
You may find the configuration options by following the steps below.
1. On the WSO2 Identity Server Console, navigate to Login & Registration.
2. Under Login Security, select Password Validation.
3. On the Password Validation page, use the following three options to validate passwords. Each option is explained in detail in the sections below:
   - Rule-based password expiration: Define rules to control password expiration based on the user's groups and roles.
   - Password history count: Specify how often users can reuse old passwords.
   - Password input validation: Set requirements for password complexity by defining its length constraints and required character types.
4. Click Update to save the changes.
Rule-based password expiration
Rule-based password expiration allows administrators to set custom password expiration rules based on the user's groups and roles. The higher a rule appears on the list, the greater its priority. Rules are evaluated in priority order, and the first rule that matches the user's condition takes effect.
To configure rule-based password expiration,
1. Turn the Password Expiration toggle on to enable password expiration.
2. Set a default password expiry rule that applies to any user who does not meet the custom criteria.
3. Click Add Rule and start defining custom rules. Each subsequent rule you add is placed at the top of the list. You may use the arrows on the left to change their priorities.
Refer to the following table for more information on rule parameters.
Parameter | Description |
---|---|
Attribute | User attribute against which you are enforcing password expiry. Select either Groups or Roles. |
Values | Select the specific group/role. You may also select multiple values, in which case the rule acts as an AND operator and is enforced only on users belonging to all of the selected groups/roles. |
Operator | |
Expiration (days) | Passwords of users meeting the criteria expire after this number of days. |
Password history count
The Password History Count feature allows you to specify the number of unique new passwords a user must use before an old password can be reused. This enhances account security by preventing the reuse of old passwords.
To enable this, select the corresponding checkbox and configure the following option.
Parameter | Description |
---|---|
Password History Count | [Optional] The number of unique passwords that must be set before an old password can be reused. Example: If set to 3, the user cannot reuse the last three passwords they have set. |
Password input validation
The Password Input Validation feature enables you to set password complexity requirements which include minimum password length and required character types.
Configure the following parameters to enforce input validation.
Parameter | Description |
---|---|
Number of characters | Set the minimum and maximum length of the passwords users may use. |
Mandatory characters | By default, a user password should contain at least one of the following characters. |
Number of unique characters | [Optional] The minimum number of unique (non-repeated) characters the password must contain. |
Number of repeated characters | [Optional] The maximum number of times a character may appear consecutively in a user password. Example: If you set the number of repeated characters to 1, the password cannot contain the same character twice in a row. The password aa1@Znlq is rejected because the character a appears consecutively. |
Validation for whitespace in passwords
WSO2 Identity Server automatically trims leading and trailing whitespace from passwords when creating, updating, or entering passwords to login.
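The following is an added example, not WSO2 Identity Server code, showing how the checks described on this page fit together: expiry rules evaluated in priority order with AND semantics over the selected values and a default fallback, plus length, unique-character, consecutive-repeat and history checks applied after trimming whitespace. The rule and user structures, the constraint names and the sample values are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ExpiryRule:
    """One row of the rule table; list position is the priority (index 0 is evaluated first)."""
    attribute: str          # "groups" or "roles"
    values: frozenset       # matches only if the user holds ALL of these values (AND semantics)
    expiration_days: int

def expiry_days_for(user: dict, rules: list, default_days: int) -> int:
    """Evaluate rules in priority order; the first match wins, otherwise the default rule applies."""
    for rule in rules:
        if rule.values <= set(user.get(rule.attribute, ())):
            return rule.expiration_days
    return default_days

def validate_password(pw: str, min_len: int, max_len: int, min_unique: Optional[int] = None,
                      max_repeat: Optional[int] = None, history: tuple = (),
                      history_count: int = 0) -> list:
    """Return the names of violated constraints; an empty list means the password is accepted.
    Leading/trailing whitespace is trimmed first, as the server does.
    `history` holds the user's previous passwords, most recent first (a real store compares
    against salted hashes; plaintext is used here only to keep the example self-contained)."""
    pw = pw.strip()
    problems = []
    if not min_len <= len(pw) <= max_len:
        problems.append("length")
    if min_unique is not None and len(set(pw)) < min_unique:
        problems.append("unique")
    if max_repeat is not None:
        run = 1                                   # length of the current run of identical characters
        for prev, cur in zip(pw, pw[1:]):
            run = run + 1 if cur == prev else 1
            if run > max_repeat:
                problems.append("repeat")
                break
    if history_count and pw in history[:history_count]:
        problems.append("history")
    return problems

if __name__ == "__main__":
    # Constructed sample rules and user (assumed names, not real configuration).
    rules = [ExpiryRule("groups", frozenset({"admins", "devops"}), 30),
             ExpiryRule("roles", frozenset({"contractor"}), 45)]
    print(expiry_days_for({"groups": ["admins"], "roles": ["contractor"]}, rules, 90))  # 45
    print(validate_password("aa1@Znlq", 8, 64, max_repeat=1))  # ['repeat']
```

The first sample user holds only one of the two groups required by the top rule, so that rule does not match and the second rule applies; the page's own `aa1@Znlq` example fails only the consecutive-repeat check with the limit set to 1.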